Patching really does work

I’ve been wanting to do a study like this for a long time. I’m glad someone else finally did:

The German Federal Office for Information Security (BSI) previously recommended that users should keep their Windows systems up to date, should ideally use Google Chrome and should avoid using Java at all if possible. The efficacy of these simple protection measures has now been demonstrated in a study carried out by the BSI. It used two different Windows systems to visit a total of 100 web sites hosting drive-by downloads (malicious code which spreads primarily by exploiting security vulnerabilities).

Unsurprisingly (to me, if not to certain security cynics), keeping your browser and plug-ins patched (and disabling Java if not in use) is effective in most instances:

The results speak for themselves, with the vulnerable system picking up 36 infections from visiting infected websites, whilst the system configured according to BSI recommendations picked up none.

The message is clear: teaching users a few basics, like how (and why) to keep their browser and plugins up to date, can dramatically reduce users’ risk of infection.

(hat tip to Denis Sinegubko for the link)


The unwarranted war on AV products

“Antivirus software a waste of money for businesses” crows the headline of a recent story, one of many missives against antivirus (AV) software driven by an outdated understanding of how such software works. The truth is that the death of AV tools’ effectiveness has been greatly exaggerated.

Traditionally, antivirus software was powered by signatures: digital fingerprints that uniquely identify malicious files or code snippets. The AV software on a computer would receive updates of its signatures once per day or week from the AV company, ensuring it could protect the user from the latest threats. The effectiveness of an AV product was determined primarily by the number of different signatures available and how quickly they were distributed. Tools like VirusTotal arose to make it easy to see which AV tool could detect a particular piece of malware. Product testing labs and tech journalists could load up a computer with a bunch of malware files and easily compare detection rates across products.

Today, everything has changed. Malware evolves far too quickly—sometimes even on a per-download basis—for AV products to depend on daily signatures. As one would expect, most of the major vendors have responded, dramatically increasing the frequency of signature updates and supplementing signatures with new approaches. Here are a few features that have become popular in major AV products recently:

  • If you download a file, the AV product will check it against a whitelist of known safe files. If it’s not on the whitelist and it doesn’t match a malware signature, the product will analyze the file’s behavior and/or reputation in real time (either on the computer or via the cloud) before allowing it to run.
  • If your browser connects to a website/URL known to distribute malware, the user will receive a warning and/or the browser will be blocked from downloading potentially harmful files.
  • If unknown software on your computer attempts to engage in a potentially harmful behavior (e.g., installing a new add-on in your browser), it will be blocked and/or the user will receive a warning.
  • If a web page or online ad attempts to exploit a vulnerability to install malware on your computer, the AV tool will block the attempt.

By layering several approaches (including the use of signatures) atop each other, today’s AV products protect users far more effectively than their predecessors. Unfortunately, many people, even in the security industry, are not aware of this evolution. It’s common to see articles like the one above that claim AV tools are still primarily signature based and that use VirusTotal (which only assesses signature-based detection) as a gauge of AV effectiveness. In reality, this is like assessing the effectiveness of a building’s security system based only on its window alarms, while ignoring its motion detectors and cameras. When you look at tests that attempt to simulate real-world user behavior, such as visiting malicious websites and opening infected email attachments, it’s clear that AV is far more effective than the pundits claim. A recent set of studies by Dennis Technology Labs, for example, found that products prevented infection in between 53% and 100% of cases. The range of results shows that the more important discussion is about which tools and methodologies work best. (Some other important areas of comparison are false positive rates, the tools’ impact on system performance, and user experience.)
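To make the "window alarms only" point concrete, here is an added toy example (not code from the post or from any AV vendor) that runs the same constructed downloads through a signature-only check and through the layered check described above: allowlist, signature, URL reputation, then observed behavior. All hashes, signatures, URLs and behaviors are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed catalogues: none of these are real malware samples, hashes or sites.
KNOWN_GOOD_HASHES = {hashlib.sha256(b"MZ-stub notepad-like benign binary").hexdigest()}
SIGNATURES = [b"EVIL-STAGER-v1"]             # byte pattern for one known family member
BAD_URLS = {"http://drive-by.example.invalid/payload"}
RISKY_BEHAVIOURS = {"install_browser_addon", "disable_security_updates"}

@dataclass
class Download:
    content: bytes
    source_url: str
    behaviours: set = field(default_factory=set)  # what real-time monitoring observed

def signature_only(d: Download) -> str:
    """Classic AV model (what a VirusTotal-style test measures): signature match or nothing."""
    return "block:signature" if any(s in d.content for s in SIGNATURES) else "allow"

def layered(d: Download) -> str:
    """Layered model from the post: allowlist, then signature, then URL reputation, then behaviour."""
    if hashlib.sha256(d.content).hexdigest() in KNOWN_GOOD_HASHES:
        return "allow:allowlist"              # known-good file, skip the rest
    if any(s in d.content for s in SIGNATURES):
        return "block:signature"
    if d.source_url in BAD_URLS:
        return "block:url-reputation"         # known distribution site, block before it runs
    if d.behaviours & RISKY_BEHAVIOURS:
        return "block:behaviour"              # unknown file doing something risky
    return "allow"

SAMPLES = {
    "benign":  Download(b"MZ-stub notepad-like benign binary", "https://vendor.example/setup"),
    "known":   Download(b"...EVIL-STAGER-v1...", "https://files.example/x"),
    # per-download variant: the signature string changed, but it is served from a known bad site
    "variant": Download(b"...EVIL-STAGER-v2...", "http://drive-by.example.invalid/payload"),
    # unknown file from an unknown site that tries to install a browser add-on
    "unknown": Download(b"...zzz...", "https://cdn.example/tool", {"install_browser_addon"}),
}

def compare() -> dict:
    """Return {name: (signature_only_verdict, layered_verdict)} for every sample."""
    return {name: (signature_only(d), layered(d)) for name, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sig, lay) in compare().items():
        print(f"{name:8} signature-only={sig:16} layered={lay}")
```

The signature-only check catches only the sample it has a signature for; the layered check also stops the re-packed variant and the unknown file, which is the gap a detection-rate-only comparison never shows.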

It’s time to end the unwarranted war on AV products. They may not be perfect—nothing is—but they do continue to earn their place alongside a range of other security measures in companies and homes alike.

Moving on from StopBadware

I recently made the difficult decision to step down as executive director of StopBadware. Though I didn’t start StopBadware—credit for that goes to John Palfrey, Jonathan Zittrain, and their collaborators—it has been my adopted baby for over five years now. What once was an energetic and chaotic Berkman Center project is now an independent (though still energetic and at times chaotic) nonprofit organization working together with many of the world’s greatest Web companies. I’m proud of the contributions I’ve made to StopBadware’s success, and I’m gratified that the organization has matured to a point that I can feel comfortable passing the reins to someone else. In fact, it’s not just that I feel comfortable doing so; I actually look forward to it. After five years, I think StopBadware will benefit from some fresh ideas and a new vision of what can be accomplished by leveraging the organization’s dynamic team, supportive partners, impressive board of directors, and positive reputation.

I believe the change will do me good, as well. During my time at StopBadware, I’ve built relationships with a lot of amazing people and learned from a boatload of mistakes (and the occasional success). I’m ready to take that experience into a new environment with new types of problems to solve. A reboot for my professional soul, if you will.

Some people have asked me where, specifically, I’m headed. I’m still exploring my options, but I do have some ideas of what I’m looking for. I know I want to remain in greater Boston, though I’m open to some travel. I’d like to make the best possible use of my experience leading a team and an organization. I enjoy building external relationships, public speaking, and otherwise interacting with people. Remaining in the security field would be ideal, though another area of interest is the intersection of technology and education. And, perhaps most of all, I want to feel good about what I’m contributing to my organization and what my organization is contributing to the world. Private sector? Nonprofit? Government? I’m open; it all depends on the fit.

Meanwhile, I’m not walking out the door at StopBadware until we’ve found a new executive director. Please, if you know a strong candidate, pass along the job description. And if you’re a strong candidate, let the Board’s search committee know why by sending a cover letter and resume to

Privacy choice done well

I recently switched my ISP and cable provider from Comcast to Verizon. Yesterday, I received an email from Verizon describing some plans they have for facilitating geo-targeting of online ads. The email stood out to me as an example of privacy choice done well, for several reasons:

  • Verizon contacted me proactively by sending me an email, instead of expecting me to notice a change in the privacy policy or a note on my bill.
  • The email was clear and concise, explaining exactly what was planned and what the impact would be on me if I didn’t opt out (or if I did).
  • Opting out, if I so desired, simply required changing a setting in my online account.

Verizon should be commended for handling this new initiative in a way that demonstrates respect for their customers. Other service providers, Internet and otherwise, would do well to follow Verizon’s example.

Teaching “geek thinking”

In the past six months, I’ve become a bit addicted to a TV show called “Holmes Inspection.” In each episode, a family has a major problem—sometimes several—with their new home. Mike Holmes comes in, does a detailed inspection, points out everything the original home inspector missed, and then “makes it right” by fixing everything up properly.

Now, please understand, I know nothing about home repair or the building trades. I’m the last person you want to see with a hammer in his hand. But, as I’ve watched the show, something interesting has happened: I’ve started thinking a bit like a builder or home inspector. I may not know how to install attic vents, but the next time I’m in my attic, I guarantee I’ll look around to make sure the vents seem “right.” And I have some sense of what “right” means, even if I don’t know every intricacy to look for. Before, I wouldn’t have even thought about the vents.

I think this carries a lesson for how we educate “the masses” about the effective, safe, and responsible use of technology: the more I think about it, the more I think we have to focus on teaching “geek thinking.” Just as a good home inspector looks at a house differently than most of us, a geek experiences new technology and new technological challenges differently than most people. When a non-geek sees an error message, he thinks “what am I supposed to do now?” When a geek sees an error message, she thinks “how do I find out what this means and what I should do,” and she has a few basic strategies for finding the answer. It’s a different mindset, and it’s what we have to start exposing people to.

Learning geek thinking won’t make people into technology experts any more than watching Holmes Inspection has prepared me for working as a building contractor. But it will help them be more informed, prepared consumers of technology, and wouldn’t it be nice to have more of those in the world?

Two lives, one account

Netflix seems to think that all its customers are single.

Each month, I spend $16 on Netflix for video streaming and DVD delivery. Notice that I didn’t say we spend $16. That’s because Netflix is fundamentally an individual service with no recognition that someone might live and watch TV and movies with other people.

My wife and I are like most married couples; we have overlapping, but not identical, taste. Sometimes, in the evening, we’ll sit down together to watch an episode of White Collar or Luther via Netflix streaming, or The King’s Speech on DVD. Other times, I’ll catch up on reruns of Sports Night while she’s out, or she’ll take advantage of my absence to watch a mini-marathon of Prison Break.

Netflix’s problem isn’t a lack of choices; it’s the use of a single user account for a service that is aimed at households. If my wife wants to add a movie to our queue, she has to log in to Netflix using my email address and password. If it’s time to rate the movie Diner, we have a choice: rate it four stars for me, two stars for her, or three stars to split the difference. The first two mean our Netflix recommendations will be suited for only one of us. The last means we’ll get recommendations that are good for both of us, but we’ll each miss out on suggestions of content that one of us would really like and the other wouldn’t. And, given that we only receive one DVD at a time, do I even need to mention the fights over the order of the queue?

The frustrating thing about this is that Netflix could do so much better. A single paid account could be tied to multiple logins. We could each rate our own content and receive our own recommendations, while sharing the same “watch instantly” and DVD delivery queues. An optional feature could even allow us to each have his/her own delivery queue, and then take turns delivering movies from each. (A quick Google search shows that someone proposed this idea for Netflix five years ago; we’re still waiting.)

Imagine the potential for a family with kids. A parent could enable a filter on his kids’ accounts, allowing the kids to only browse movies rated G or PG. And anything added to the queue by the kids could generate an email to the parent for review or approval.

Instead of offering a set of features to help households really maximize their enjoyment of Netflix, the service forces the user experience to mimic the business model: one account, one user. Of course, I should point out that it’s not just Netflix. Amazon Prime, for example, allows multiple user accounts to share the free shipping, but not the free streaming videos or Kindle lending library. This despite both our user accounts having the same address and the same default credit card!

It’s time for online entertainment services to move beyond the one account, one user paradigm, and to start meeting people where they live. You know, in a home with other people.

Have you seen examples of online services that manage multiple person households well? If so, please let me know in the comments!